
Merge pull request #247 from jelmersnoeck/xss-fix-ajax-search

XSS: Escape the input on ajax searches.
2 parents f975b42 + 641e27b commit 03e8f5b53f193a87116b3875eec39769d5c07114 Dieter Vanden Eynde committed Mar 1, 2012
@@ -23,7 +23,8 @@ public function execute()
parent::execute();
// get parameters
- $term = SpoonFilter::getPostValue('term', null, '');
+ $searchTerm = SpoonFilter::getPostValue('term', null, '');
+ $term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
$limit = (int) FrontendModel::getModuleSetting('search', 'autocomplete_num_items', 10);
// validate
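Review bot: Escaping on input (the new `$term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : ...` line) means the search lookup that follows now runs against the entity-encoded string, so a term containing `&`, `<`, `"` or `'` is searched as `&amp;`, `&lt;`, `&quot;` or `&#039;` and will miss matching records; the same applies to the three identical changes in the later hunks (`validateForm()` at line 214, `validateForm()` at line 365, and the second `execute()` at line 22). The output-escaping form of this fix is more robust against XSS and keeps search correct: leave `$term` / `$this->term` as the raw value from `getPostValue()`, and apply `htmlspecialchars`/`htmlentities` once at the point where the term is written into the HTML or JSON response, in the mode that context needs, or keep a separate escaped copy for output alongside the raw one used for the query. Separately, `SPOON_CHARSET == 'utf-8'` is a case-sensitive comparison, so should the constant ever be defined as `'UTF-8'` the code silently takes the `htmlentities` branch; `strtolower(SPOON_CHARSET) == 'utf-8'` (or `strcasecmp`) would avoid that. The enclosing `execute()` continues past the end of the hunk.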
@@ -214,7 +214,8 @@ public function parse()
private function validateForm()
{
// set values
- $this->term = SpoonFilter::getPostValue('term', null, '');
+ $searchTerm = SpoonFilter::getPostValue('term', null, '');
+ $this->term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
$this->length = (int) SpoonFilter::getPostValue('length', null, 50);
// validate
@@ -365,7 +365,8 @@ protected function parsePagination()
private function validateForm()
{
// set search term
- $this->term = SpoonFilter::getPostValue('term', null, '');
+ $searchTerm = SpoonFilter::getPostValue('term', null, '');
+ $this->term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
// validate
if($this->term == '') $this->output(self::BAD_REQUEST, null, 'term-parameter is missing.');
@@ -22,7 +22,8 @@ public function execute()
parent::execute();
// get parameters
- $term = SpoonFilter::getPostValue('term', null, '');
+ $searchTerm = SpoonFilter::getPostValue('term', null, '');
+ $term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
// validate
if($term == '') $this->output(self::BAD_REQUEST, null, 'term-parameter is missing.');
